On Mon, Dec 19, 2022 at 03:32:33PM -0500, Ranbir via FreeIPA-users wrote:
> We have many users that run GNU/Linux workstations. At the moment
> everyone is using local accounts. We want to convert them to IPA
> clients and still allow them sudo privileges on their own workstations.
>
> It's easy to grant them access to their workstations by making them all
> a member of a "workstation" AD group and letting them log in with ssh,
> GNOME, etc. What's less obvious is how to centrally give them sudo
> access only on their own workstations.
>
> I could create an HBAC rule per person to give them sudo privileges to
> their own workstation, but then I'll have to make hundreds of rules.
> The only solution appears to be to keep the access (i.e. ssh, desktop
> environment) centrally controlled in IPA, but make the custom sudo
> access locally controlled. Is this the only way to do what I want?
>

Hi Ranbir,

I think you can use a single HBAC rule to allow all users to execute sudo on
their workstations. But then you would need a distinct sudorule for each
user/workstation pair to allow them full permissions on that machine. I don't
see a way around it. But I could be overlooking something.

It would be nice if you could associate workstations (hosts) to users directly,
then automatically generate/infer HBAC and sudo rules (subject to domain-wide
policy settings). Is it a known RFE?

Thanks,
Fraser

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
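The approach Fraser describes (one shared HBAC rule that lets workstation users reach the sudo service, plus one sudo rule per user/workstation pair so each user gets full sudo only on their own machine) expressed as FreeIPA CLI calls. This is an added example, not code from the thread or from the FreeIPA project; it assumes the `ipa` client tools are installed and an admin Kerberos ticket is held, that a user group `workstation-users` and a host group `workstations` exist (both assumed names, not from the thread), and the user/host pairs in `PAIRS` are constructed sample data. With `DRY_RUN=1` (the default) it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: generate (or run) the FreeIPA commands for a shared HBAC
# rule plus one sudo rule per user/workstation pair.
# Assumptions: ipa CLI present, admin ticket held, group names below exist.
# DRY_RUN=1 prints the commands; DRY_RUN=0 executes them.

DRY_RUN="${DRY_RUN:-1}"

# Constructed sample mapping: "user workstation-fqdn", one pair per line.
PAIRS='alice ws-alice.example.test
bob ws-bob.example.test'

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Shared HBAC rule: members of the (assumed) workstation-users group may use
# the sudo HBAC service on hosts in the (assumed) workstations host group.
# On its own this does not grant any sudo command; the sudo rules do that.
hbac_cmds() {
    run ipa hbacrule-add allow_sudo_on_workstations
    run ipa hbacrule-add-user allow_sudo_on_workstations --groups=workstation-users
    run ipa hbacrule-add-host allow_sudo_on_workstations --hostgroups=workstations
    run ipa hbacrule-add-service allow_sudo_on_workstations --hbacsvcs=sudo
}

# One sudo rule per pair: exactly this user, exactly this host, any command.
# Rule name is derived from the user and the host's short name.
sudorule_cmds() {
    user="$1"
    host="$2"
    rule="sudo_${user}_on_$(printf '%s' "$host" | cut -d. -f1)"
    run ipa sudorule-add "$rule"
    run ipa sudorule-add-user "$rule" --users="$user"
    run ipa sudorule-add-host "$rule" --hosts="$host"
    run ipa sudorule-mod "$rule" --cmdcat=all
}

# Emit the shared HBAC rule once, then a sudo rule for every pair.
apply_all() {
    hbac_cmds
    printf '%s\n' "$PAIRS" | while read -r user host; do
        [ -n "$user" ] && sudorule_cmds "$user" "$host"
    done
}

apply_all
```

The per-pair sudo rules are what keep the grant narrow: a single sudo rule scoped to the whole `workstations` host group would let every member run commands as root on every workstation, not just their own. Keeping the mapping in a file like `PAIRS` also gives you something to diff against `ipa sudorule-find --all` when auditing which user holds root on which host.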
